Use new --disable-userns bubblewrap feature when possible

This feature (added in containers/bubblewrap#488) allows us to improve the guarantees of disallowing the sandbox to use recursive user namespaces (which is a security risk) compared to the existing limits that use seccomp. This doesn't work with a setuid bubblewrap, so if you're using that you now have to build flatpak with --with-priv-mode=setuid, even when using the system bubblewrap.
alexlarsson · Sep 6, 2022 · d087ed2 · d087ed2
1 parent 8b39921
commit d087ed2
Show file tree

Hide file tree

Showing 2 changed files with 27 additions and 0 deletions.
diff --git a/common/flatpak-run.c b/common/flatpak-run.c
@@ -4640,6 +4640,29 @@ flatpak_run_app (FlatpakDecomposed *app_ref,
       if (pidns_fd != -1)
         flatpak_bwrap_add_args_data_fd (bwrap, "--pidns", pidns_fd, NULL);
     }
+  else
+    {
+      /* Disable recursive userns for all flatpak processes, as we need this to guarantee
+       * that the sandbox can't restructure the filesystem. Allowing to change e.g. /.flatpak-info
+       * would allow sandbox escape via portals. This is also done via seccomp, but here we
+       * do it using userns unsharing in combination with max_user_namespaces.
+       *
+       * Unfortunately that is incompatible with --userns as used in the pid sharing code
+       * above. However, that will switch into a userns that has the right limit anyway.
+       *
+       * If bwrap is setuid, then --disable-userns will not work. We don't want to enable
+       * --disable-userns with a runtime check though, as then you might be able to disable it.
+       * So, for setuid based system you need to build flatpak with --with-priv-mode=setuid
+       * to disable this check.
+       */
+#ifndef BWRAP_IS_SETUID
+      if (0)
+        {
+      flatpak_bwrap_add_arg (bwrap, "--unshare-user");
+      flatpak_bwrap_add_arg (bwrap, "--disable-userns");
+        }
+#endif
+    }
 
   flatpak_bwrap_populate_runtime_dir (bwrap, shared_xdg_runtime_dir);
 

diff --git a/configure.ac b/configure.ac
@@ -381,6 +381,10 @@ AC_ARG_WITH(priv-mode,
 
 AM_CONDITIONAL(PRIV_MODE_SETUID, test "x$with_priv_mode" = "xsetuid")
 
+if test "x$with_priv_mode" = "xsetuid"; then
+   AC_DEFINE([BWRAP_IS_SETUID], [1], [Define if using setuid bwrap])
+fi
+
 AC_ARG_ENABLE(sudo,
               AS_HELP_STRING([--enable-sudo],[Use sudo to set setuid flags on binaries during install (only needed if userns disabled)]),
               [SUDO_BIN="sudo"], [SUDO_BIN=""])